Security Incidents mailing list archives
Re: Undernet/telnet attempts?
From: Stephen.Cooper () BIS ORG (Stephen Cooper)
Date: Thu, 9 Mar 2000 11:24:47 +0100
Hello,

I recently left a large Middle Eastern country (I do not wish to be inflammatory, so I will not name it in a public forum). Having experienced certain phenomena there, your email makes me smile!!!!

In that country the Internet backbone is concealed behind a massive firewall and a bank of Squid proxy servers, which blocks ports 80 and 443. Not many people outside will see much of what I will describe. However, should you dial in to a local ISP (of which there are a lot) and be running a tool such as Back Officer Friendly or BlackICE or equivalent, you will be absolutely bombarded by telnet attempts, backorifice probes, ping scans, port scans and on and on. You do not need to be running. All coming from dial-up users connected to that backbone via various ISPs.

It's kind of disturbing when you first see it, but you get used to it and there is very little you can do about it. It kind of puts a minor thing like you describe into perspective.

This email expresses personal opinions that have absolutely no relation to my current occupation.

Regards,
Stephen.
"Tibor, Mike" <tibor () LIB UAA ALASKA EDU> 02/23/00 02:06am >>>
On Fri, 18 Feb 2000, SecOrg wrote:
I have gotten a number of telnet attempts/scans on my server from undernet IRC hosts. A couple of the hosts were

dallas-r.tx.us.undernet.org
ProxyScan.MD.US.Undernet.Org

As the name implies, I am guessing they are scanning wingates/proxies, etc. for security/eggdrop reasons. Does anyone know if they scan all incoming connections for telnet (wingate) ports? And if so, why they would try to connect to it afterwards? Maybe some kind of fingerprinting technique that would find out if it is an open wingate?
I've experienced those probes myself, and in email exchanges with the technical contacts (angel111 () ns2 cetlink net, danny () chatsystems com, abuse () undernet org, noc () u1 abs net), they vehemently claim to only probe each machine when it makes an IRC connection to them (i.e., the incoming IRC connection triggers the probe).

The problem *I* have with it is that when I confronted them they couldn't produce any evidence my server ever made those connections--they apparently don't keep any logs. In my case it's rather interesting as only 4 people other than myself have shell access to my server, and none of us has *ever* done any IRC activity from it (and I'm also confident it hasn't been rooted).

Mike

--
Mike Tibor
LAN Technician
Univ. of Alaska Anchorage, Consortium Library
(907) 786-1001 voice
(907) 786-6050 fax
tibor () lib uaa alaska edu
http://www.lib.uaa.alaska.edu/~tibor/
http://www.lib.uaa.alaska.edu/~tibor/pgpkey for PGP public key

DISCLAIMER: Any e-mail messages from the Bank for International Settlements are sent in good faith, but shall not be binding nor construed as constituting any obligation on the part of the Bank.

CONFIDENTIALITY NOTICE: This e-mail contains confidential information, which is intended only for the use of the recipient(s) named above. If you have received this communication in error, please notify the sender immediately via e-mail and return the entire message. Thank you for your assistance.